Two US power plants infected with malware spread via USB drive

Investigators find no up-to-date antivirus, system backups for control systems.

Critical control systems inside two US power generation facilities were found infected with malware, according to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to ICS-CERT's newsletter covering October, November, and December of 2012. The authors didn't identify the owners of the facilities, and there's no indication the infections resulted in injuries or equipment failures.

The incidents were reported earlier by Threat Post, and they are the latest to underscore the vulnerabilities posed by supervisory control and data acquisition (SCADA) systems that aren't properly secured. SCADA and industrial control systems use computers to flip switches, turn dials, and manipulate other controls inside dams, power-generation plants, and other critical infrastructure. Malware that infects those systems poses a threat because it can give remote attackers the ability to sabotage sensitive equipment. Last year, a backdoor in a widely used piece of industrial software allowed hackers to illegally access a New Jersey company's internal heating and air-conditioning system.

According to one of the articles in the newsletter, one of the infections was discovered after an employee experienced problems with the USB drive and called in IT staff to troubleshoot.

"When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits," the newsletter reported. "Initial analysis caused particular concern when one sample was linked to known sophisticated malware."

The article doesn't say explicitly whether the control system workstations themselves ran any form of antivirus protection.

"While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations," it said. The report also noted the workstations had no backup mechanism, so "an ineffective or failed cleanup would have significantly impaired their operations."

The other infection affected 10 computers in a turbine control system. It was also spread by a USB drive and "resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks," the article stated. It went on to encourage owners and operators of critical infrastructure to "develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media."

USB drives remain the weak link in many industrial control systems, which often lack Internet connections precisely to minimize exposure to malicious software; removable media then becomes the channel that crosses the air gap. The Stuxnet worm and the Flame malware, both of which were reportedly developed by the US and Israel to attack and spy on critical systems in Iran, relied on USB drives to propagate attack code and to ferry intercepted communications across air-gapped networks. Microsoft has patched the vulnerabilities that made some of those attacks possible on Windows computers, but it's not clear all users have installed them.


Promoted Comments

I think the critical issue of malware on infrastructure is intent. Was the malware intended for the power plants or incidental? Both are equally disconcerting from a security standpoint. If malware never intended to reach power plants propagates effectively enough to cause actual damage, but not necessarily life-threatening harm, software specifically designed to target power plants could wreak havoc on the system. Hopefully, the company takes this incident as a reason to implement security procedures designed to stop the spread of malicious software. If the infection encountered was designed to attack infrastructure, there may be significantly more undetected software propagating through the system.

I work in a related industry (power plant simulation), and we regularly get viruses from visiting customers, to the point of us having giant signs everywhere that any customer device, computer, or memory stick must be taken to IT for decontamination.

Granted, simulation is a whole different ball game, but the viruses are definitely in those buildings; without adequate protection it is just a matter of time.

We're just starting to see a trend (with a few of our more recent jobs) that even mention things like domains, anti-virus, and group policies. Also, for those that may express surprise, the use of Windows is frequently needed for HMIs, the stations that display information screens for the operators. Typically the control system itself is custom hardware, but the HMI can still be a gateway for a virus. Once the HMI is taken, it can continually hammer the control system until it gets in.

I actually work IT for a company that owns and runs Power Plants and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does, it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

It is amazing to me that these systems are not hardened not only on the O/S level, but the hardware level as well. Why are these USB ports even accessible?

No kidding - it's trivial to disable the ports in BIOS, and on Windows PCs you can do it using Group Policy. Why would a system this critical need to move files on USB drives? How many companies have been infected by flash drives bad guys drop in the parking lot, knowing some unsuspecting employee will plug them right in to see what's on there?

I work at a nuclear plant, and along with the rest of the industry we finished implementing a whole slew of security upgrades by the end of 2012 to comply with an NRC order. The main thing was to ensure that critical digital assets (CDAs) such as the computer that gathers data and performs calculations to ensure we are running within limits is only accessible within the protected area (the area behind about 3 fences and can only be accessed through a security checkpoint). Once inside the PA, most CDAs are located in a locked area (not sure if it is part of the order or just how my plant approaches it). Anything that touches these computers needs to be cataloged and sanitized before it can be plugged in. It's a real pain to deal with and I need to go inside the PA frequently to get data that I used to be able to access from a desk outside, but it should prevent a Stuxnet-type virus from affecting critical systems.

I actually work IT for a company that owns and runs Power Plants and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does, it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

It is amazing to me that these systems are not hardened not only on the O/S level, but the hardware level as well. Why are these USB ports even accessible?

There is an assumption made by most hardware and software designers that the customer is not a complete idiot. Sadly, this is often not true. I think we need to start hiring very unintelligent people to do software testing (in addition to proper, skilled testers) to test everything that any random idiot could do to a system.

How many control systems can you think of that would withstand the "spilling a coke on the console" test?

I actually work IT for a company that owns and runs Power Plants and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does, it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

GE's Mark VI has a virtual used in simulation that is a 16-bit application, if that underscores the point any. A lot of these things are OLD.

It is amazing to me that these systems are not hardened not only on the O/S level, but the hardware level as well. Why are these USB ports even accessible?

There is an assumption made by most hardware and software designers that the customer is not a complete idiot. Sadly, this is often not true. I think we need to start hiring very unintelligent people to do software testing (in addition to proper, skilled testers) to test everything that any random idiot could do to a system.

How many control systems can you think of that would withstand the "spilling a coke on the console" test?

On a hardpanel, yes, they'd survive a coking. Most of them use mechanical switches, dials, etc, potentially for this very reason. I've even seen ones that are duct-taped on, or have duct-tape labels. On a console, well, no, but let's hope it was an HMI and not controlling anything important, right? *gulp*

I've never worked in power center control systems, but I have worked in and written software for control centers with billions of dollars of hardware in control. Catastrophic failures were always a concern there - every day.

* Put superglue into every USB port.
* Remove all CDs and DVD and Bluray drives.
* Use PS2 ports if a mouse and keyboard are needed, but it is best if those are not used too.
* Only allow authorized people physical access to the machines.

If a stupid tech did this, sue them and their company away forever. Name the names, especially the person who didn't follow the process.

A tiny part of my job was introducing software to the control center systems and network. I took it extremely seriously. We had a clear process to follow for anything brought in. That process was constantly reviewed, but seldom modified. It was not possible to get anything inside without going through the process.

We had a "software introduction server" that all software was loaded into, scanned for Windows viruses using 3 different up-to-date scanners from different vendors, backed up to tape, and the software would show up on an internal network drive the following day for installation. That server was not on the control center network. It sat disconnected from the world until after all the scans were performed. The security officer maintained it, not me and definitely not some outside vendor working there for a day.

Control systems are serious. You want serious people working there and managing the systems.

Running old hardware and old OSes is common for these places. That is why you never let them connect to any outside network and you never allow any outside computers onto the internal network unless you are 100% positive they are clean. 100% positive means HDDs are wiped and an OS is loaded from the master DVD provided by the vendor. USB flash drives can be used, but only if they are brand new and wiped by an incompatible OS first.

USB ports, DVDs, CDs and USB drives? Forget it. Not on control system networks. The risk is too great, as we've seen the last ... er ... 4 yrs?

It is amazing to me that these systems are not hardened not only on the O/S level, but the hardware level as well. Why are these USB ports even accessible?

I can give you one example. At the nuclear plant I work with, we have a large constantly running piece of equipment (a variable frequency drive). It is controlled by a PLC, which is controlled by a Windows console built into the equipment (this is airgapped - no network connection). When there is a minor problem (such as getting close to a temperature limit) with this equipment an alarm will go off in the control room but someone will have to physically go to the equipment and investigate the alarm at the local panel. A report/data dump is generated which can be copied to a USB drive (since it can't be transferred on a network) and sent to the vendor for analysis if the issue is new or otherwise unexplained. Furthermore, due to the design of the controls, this information will be cleared in a day or two. With the inertia in the nuclear scheduling process, you could not count on someone who is qualified to re-enable a USB port before the data is gone. Rather, someone can grab a sanitized flash drive, plug it in the console and get the data.

I do network security for SCADA and associated networks in the power industry, so this is right up my alley. To address a few comments above:

atlcomputech: The reason this stuff doesn't run on hardened physical systems or hardened OSes is because the SCADA systems are generally supposed to be properly air-gapped from non-production networks, and business processes are supposed to inform staffers about properly sanitizing physical media used for moving data and software.

Here's the thing about SCADA software: It's written by industrial process engineers who know tons about process control. What they don't know is the complexities of network security, or physical security, or systems security. If you pay attention, it also becomes clear that a lot of the time, they don't even know much about coding. They barely understand the complex network protocols they're using.

And then there's the problem of currency. These systems don't stay current, because they're complex and expensive. The systems are written to APIs that are decades old, using network protocols even older. The systems are fragile… Some are so poorly written that backing up a running SCADA process will crash the process. Virus scanning the data files in use by the running SCADA software can crash the process. Frequently, just installing certain OS patches will cause the SCADA system to fail, and you never know which one's going to blow up in your face unless you test every patch prior to rolling out. And the embedded systems are even worse. They're frequently using custom software on custom OSes on custom hardware, that was designed by people who knew more about process control than they did about systems design. They may have critical bugs that the manufacturer has no desire to fix because they can't afford to regression test a new version, but the customer doesn't want to buy a newer, more secure unit because the old one works, and installing a new one would cost money, time, and interrupt production while it's being installed.

It is amazing to me that these systems are not hardened not only on the O/S level, but the hardware level as well. Why are these USB ports even accessible?

There is an assumption made by most hardware and software designers that the customer is not a complete idiot. Sadly, this is often not true. I think we need to start hiring very unintelligent people to do software testing (in addition to proper, skilled testers) to test everything that any random idiot could do to a system.

How many control systems can you think of that would withstand the "spilling a coke on the console" test?

Lol, the majority of people in the industrial sector that run and maintain these machines, HMIs, and computers have enough knowledge to operate a microwave and Word, Excel, and email. That's pretty much it. Any computer related technology is almost guaranteed to be stock/default from the manufacturer or from initial setup.

The entire industrial sector operates under one belief: Minimum Work needed for Maximum Profit. They aren't even remotely considering security loopholes, let alone think about disabling USB boot and securing ports and the like. Until it becomes a problem, it won't be addressed.

I actually work IT for a company that owns and runs Power Plants and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does, it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

I no longer do systems analysis so I may be out of date. However, across the pond they just found malware just sitting there for several years. I'm quite sure there are folks in the MidEast who are mad about Stuxnet and will pay decent coders (not like the Anonymous folks, but still) to have some fun.

That is: bringing down the grid, repeatedly, will cost a lot of money to fix. But as we used to say: "There's never enough time and money to do it right the first time, but there's always enough time and money to do it right the second time."

On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

Another thing to note is that the vendors will often only support the systems (which is a necessity) if you don't modify them. Installing other software, patches, OS updates, or anti-virus software will often make the system unsupportable.

It's really an issue of an industry that has never considered computer security, with no easy or cheap way to deal with it. It's much the same situation as MS was in in the mid-90s, except that these are extremely expensive and critical applications and systems that have a much longer intended life, written by people who typically couldn't get a job at MS. They either aren't very competent, or their competence lies in engineering, not general programming, and certainly not modern programming ideas and things like security. The medical industry is plagued by the same kind of problems. Typically, the more specialized and critical a system is, the worse a piece of software it is. After working in both the industrial and medical sectors, it's actually pretty amazing anything works at all, it's that much of a mess.

"Shit, they turned off the USB ports?"
"Crap... now what are we gonna do?"
"Um... hey, open your browser and see if you can download that suspicious pr0n.zip file from my dropbox account. Haven't checked it out yet, but I bet it's awesome!"
"COOL!"

Air Gap

Oh well there's always re-writable CDROMS, after all it was good enough for Bradley Manning!

If you hire some Homer without the wit to pour piss out of a boot, with the instructions on the sole this is what you get.

From the descriptions here it seems like the companies that write software for these uses regard their software and the platforms they are supposed to run on as if they are parts of a mechanical machine.

There are some places I go to, that require any electronics to be left at the door or sent to IT to be thoroughly scrubbed. It is not power production related though. They also don't allow foreign flash drives.

In my opinion, if you want a secure system, do not connect it to the Internet and do not allow portable devices (from the outside and those from the inside that haven't been scanned) to be connected to it. It does make logistics more complicated and it won't be 100% infection proof, but it will definitely limit the chances of malware getting in.

Always assume that people are stupid when it comes to malware/viruses and plan accordingly.

I actually work IT for a company that owns and runs Power Plants and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does, it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

Couldn't the USB threat be neutralized without having to install AV on all the systems by simply having one workstation (on a network isolated from the internal) that is kept up to date with A/V and mandate that all USB drives be plugged in and A/V scanned by that station prior to being plugged into any internal systems? This also prevents having to tiptoe around old and delicate operating systems that may have issues with the latest and greatest A/V solutions out there. The drives should be scanned on the way out too to monitor if an internal system had gone undetected and infected a clean USB drive.
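The two-stage station that several comments above describe (the software-introduction server that scans everything with multiple engines before it ever reaches an internal share, and the isolated workstation that scans drives on the way in and again on the way out) can be scripted. What follows is an added example written for this page, not code from the article, ICS-CERT or any commenter. The blocklist hash, file names and policy rules are constructed for illustration, and the antivirus engines themselves are left out; the script shows only the hashing, transfer-policy and exit-diff logic that would wrap them.

```python
"""Removable-media check-in / check-out kiosk (added example, not from the
article or any commenter).  Entry: inventory the drive and apply a transfer
policy.  Exit: diff against the stored inventory so anything written by a
machine inside the boundary is surfaced.  AV engines are out of scope here."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical blocklist: SHA-256 of samples already known to be bad.  A real
# station would load this from its scanners' reports or a threat feed.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ stand-in for a known malware sample").hexdigest(),
}
# Transfer media carries reports and data dumps, never code.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".vbs", ".js", ".ps1", ".lnk", ".pif", ".msi"}


def sha256_file(path: Path) -> str:
    """Stream-hash so multi-gigabyte data dumps need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict[str, dict]:
    """Map relative path -> {size, sha256} for every regular file under root."""
    manifest: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size,
                             "sha256": sha256_file(path)}
    return manifest


def policy_findings(manifest: dict[str, dict]) -> list[str]:
    """One line per policy violation; an empty list means the set is clean."""
    findings = []
    for rel, meta in manifest.items():
        name = rel.rsplit("/", 1)[-1].lower()
        suffixes = Path(name).suffixes
        if name == "autorun.inf":
            findings.append(f"{rel}: autorun.inf present (AutoRun abuse)")
        if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
            findings.append(f"{rel}: executable content not allowed on transfer media")
            if len(suffixes) >= 2:  # report.pdf.exe and friends
                findings.append(f"{rel}: double extension {''.join(suffixes)}")
        if meta["sha256"] in KNOWN_BAD_SHA256:
            findings.append(f"{rel}: matches known-bad hash")
    return findings


def diff_manifests(before: dict, after: dict) -> dict[str, list[str]]:
    """What changed on the drive between check-in and check-out."""
    common = set(before) & set(after)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(r for r in common
                              if before[r]["sha256"] != after[r]["sha256"])}


def check_in(drive: Path, manifest_path: Path) -> list[str]:
    """Entry scan: store the inventory for the exit diff, return findings.
    A non-empty list means the drive does not go inside."""
    manifest = inventory(drive)
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return policy_findings(manifest)


def check_out(drive: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Exit scan: files added or changed since check-in were written by a
    machine inside the boundary, which is what an undetected infection on an
    engineering workstation would do.  Only those files are re-policed."""
    before = json.loads(manifest_path.read_text())
    after = inventory(drive)
    result = diff_manifests(before, after)
    suspect = {r: after[r] for r in result["added"] + result["changed"]}
    result["findings"] = policy_findings(suspect)
    return result


def build_demo_drive(root: Path) -> None:
    """Constructed sample drive: one legitimate data dump plus three kinds of
    contraband (AutoRun file, double-extension executable, blocklisted file)."""
    (root / "vfd_report_2013-01-16.csv").write_text(
        "timestamp,temp_c\n2013-01-16T03:00,71.2\n")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "report.pdf.exe").write_bytes(b"MZ stand-in executable")
    (root / "tools").mkdir()
    (root / "tools" / "update.bin").write_bytes(
        b"MZ stand-in for a known malware sample")


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    drive, manifest = work / "drive", work / "manifest.json"
    drive.mkdir()
    build_demo_drive(drive)
    for line in check_in(drive, manifest):
        print("CHECK-IN :", line)
    # Simulate an infected workstation touching the drive while it was inside.
    (drive / "driver.scr").write_bytes(b"MZ dropped by something inside")
    print("CHECK-OUT:", json.dumps(check_out(drive, manifest), indent=1))
```

Run it directly to see the check-in findings and the check-out diff on the constructed drive. The exit diff is the piece a scan-only station misses: a drive that came in clean and leaves with a new .scr file, or with an altered data dump, tells you that a machine inside the boundary wrote to it, which is worth an incident ticket even when no scanner fires on the new file.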

It is amazing to me that these systems are not hardened not only on the O/S level, but the hardware level as well. Why are these USB ports even accessible?

I can give you one example. At the nuclear plant I work with, we have a large constantly running piece of equipment (a variable frequency drive). It is controlled by a PLC, which is controlled by a Windows console built into the equipment (this is airgapped - no network connection). When there is a minor problem (such as getting close to a temperature limit) with this equipment an alarm will go off in the control room but someone will have to physically go to the equipment and investigate the alarm at the local panel. A report/data dump is generated which can be copied to a USB drive (since it can't be transferred on a network) and sent to the vendor for analysis if the issue is new or otherwise unexplained. Furthermore, due to the design of the controls, this information will be cleared in a day or two. With the inertia in the nuclear scheduling process, you could not count on someone who is qualified to re-enable a USB port before the data is gone. Rather, someone can grab a sanitized flash drive, plug it in the console and get the data.

Pretty much spot on (and I work at a nuclear plant as well). Although measures are taken to physically secure any ports on the machines, along with the air gap previously talked about, there are valid reasons to be able to transfer data to/from machines (data collection for troubleshooting, large software configuration change updates, etc). You do need to manage the process with sanitized drives and Windows software policies to lock the machines down and restrict user access, along with the appropriate procedures to follow (of course).

I actually work IT for a company that owns and runs Power Plants and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does, it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry so it's not like there is a lot of competition in this space.

K1LLTACULAR, you've hit the nail on the head. While I do not work on DCS systems, I do work on PLCs (mostly Allen-Bradley). I've been to a couple of facilities that still use RSLogix5000 v13 and RSView32, even though version wise, we are long past that now - RSLogix5000 v20 and FTView 6.1 for HMI software. They have no reason to upgrade to the latest versions because what they are using still works.

On top of that, many of the companies that provide software in the industrial controls category refuse to update said software in what could be considered a normal amount of time; it was 2 years before Allen-Bradley had a Windows 7 compatible software package. While you could install the software on Windows 7, it wasn't supported and they wouldn't provide support other than telling you to get a copy of XP.

Remember, the number one rule of control systems is: If it ain't broke, don't fix it.

From the term "being infected" I conclude that power plants run on ordinary consumer OSes. Probably Microsoft Windows. I mean ... a proprietary OS wouldn't get infected that easy ... apart from Stuxnet. I'm inclined to say ... this makes me nervous.

It is amazing to see the stupidity of control-systems-networks NOT being physically ISOLATED from IT networks full of Windows PCs which are virus magnets. Of course, this is Stuxnet which propagates via Windows machines into the Siemens control network and infects the boot PROM. It was developed by US intelligence services and when let out in the wild via the Internet will allow millions of stupid Windows PCs to be host carriers, awaiting a flash drive to "transport" it. Eventually some silly worker will plug that infected flash drive into a control-system-network and that virus becomes active doing its damage while pretending it is not affecting anything!

Stuxnet has been outed over a year ago and the suspected SCADA systems identified. All these industrial companies using such SCADA ought to have a swap-out of their old SCADA with newer models. At whatever cost because a total destruction of the site is imminent. Examples, the centrifuges in Iran running to destruction. Control systems of Fukushima's NINE backup generators refuse to switch over when activated.

From the term "being infected" I conclude that power plants run on ordinary consumer OSes. Probably Microsoft Windows. I mean ... a proprietary OS wouldn't get infected that easy ... apart from Stuxnet. I'm inclined to say ... this makes me nervous.

Usually, NO.

The control systems run on embedded industrial network systems. The network protocols are totally incompatible with your average TCP/IP network infrastructure. And they are incompatible because they need to do things very differently...

The problem lies in the HMI (Human-Machine Interface). Somewhere along this chain there WILL be standard computers. For profane things like keyboards, a mouse and screens. And this stuff only works with standard PC hardware. "Standard" PCs (often *nix, but also Windows Server) are also needed for important things like data logging and data transfer.

As long as a virus infects the HMI, it can run the plant by sending different HMI inputs to the control system than the real inputs. Now, depending on the safety criticality of a system, the HMI can run everything or the HMI is fairly detached from the actual industrial control system which is designed in hardware to mitigate malicious operator actions.

The "HMI runs everything" SCADA systems are cheaper and quicker to roll out than the paranoid "do everything in hardware" solutions.

Example: Municipal water work systems. This system is set together from a wild mix of ancient systems and modern systems, lots of permanent stop-gaps, and it is distributed over a large area. Getting this crazy mix controlled under one hood can only reasonably be achieved with a standard PC-based SCADA system.

On the other hand there are for example turbine control systems. High-speed machinery with an enormous energy density. These control systems operate totally differently. Lots of embedded real-time control systems with fault tolerance and automatic and predetermined fault exit strategies implemented in hardware. Here, the plant operator usually just sets boundary conditions and the machinery protects itself while attempting to achieve the set-points given by the operator. Usually, the logic is implemented in analogue or digital logic gates soldered to boards.

It is amazing to me that these systems are not hardened, not only at the O/S level but at the hardware level as well. Why are these USB ports even accessible?

I can give you one example. At the nuclear plant I work with, we have a large constantly running piece of equipment (a variable frequency drive). It is controlled by a PLC, which is controlled by a Windows console built into the equipment (this is airgapped - no network connection). When there is a minor problem (such as getting close to a temperature limit) with this equipment, an alarm will go off in the control room, but someone will have to physically go to the equipment and investigate the alarm at the local panel. A report/data dump is generated which can be copied to a USB drive (since it can't be transferred on a network) and sent to the vendor for analysis if the issue is new or otherwise unexplained. Furthermore, due to the design of the controls, this information will be cleared in a day or two. With the inertia in the nuclear scheduling process, you could not count on someone who is qualified to re-enable a USB port before the data is gone. Rather, someone can grab a sanitized flash drive, plug it in the console and get the data.

I wonder if the solution is some sort of write-only/read-only drive system. For example, your report generator can be made to be write-only, while your data access computer is set to read-only. Then there's no potential for malicious code to go 'upstream', so to speak.

Control systems of Fukushima's NINE backup generators refuse to switch over when activated.

The control systems of any safety critical system in Fukushima were implemented to 100% in trusty, rusty analogue logic. There is nothing for a virus to infect in a nuclear power plant ... at least currently.

New nuclear power plants are forced to use computerized control systems, though, since that is the only thing that can be manufactured today. Usually these modern systems are implemented in FPGA logic with the DA-converter and FPGA logic unit being soldered to one PCB board. They are commonly connected to a data bus system used for data-logging and for non-safety critical HMI. Usually there is a hardware voting mechanism implemented on the board that is connected to physical switches connected to physical cables that can override the HMI. There are also hardwired dials, alarms and displays for safety critical information diverse from the computerized HMI system.

Building, qualifying and getting approval for such a system is horrendously expensive and not applicable for most industrial applications.

I wonder if the solution is some sort of write-only/read-only drive system. For example, your report generator can be made to be write-only, while your data access computer is set to read-only. Then there's no potential for malicious code to go 'upstream', so to speak.

The problem is, can you prove, beyond all reasonable doubt, that the system will always be read-only and cannot under any circumstance influence existing safety control systems?

Try to prove that with a certainty of 1/10^7 over the lifetime of the component! You can't! Qualifying any IT system for more than 1/1000 failure rate in nuclear applications is pretty much the best one can do without starting to invent horrendously complicated self-correcting, self-fault diagnosing, self-fault mitigating systems.

It is much simpler, and success is pretty certain, to simply write an order for the operating staff to use a sanitized USB stick.

It is amazing to me that these systems are not hardened, not only at the O/S level but at the hardware level as well. Why are these USB ports even accessible?

Let's take a typical factory setting. You've got factory machines. These contain motors and actuators and all sorts of sensors. The energized parts are wired to breakers, which contain more sensors. All the sensors, buttons, and systems for a machine lead back to a central panel with banks of programmable modules.

Now, elsewhere, there's a PC. A normal, regular PC with software on it that lets engineers take all those components and wire them together. Virtually. Sometimes it's directly connected to that central panel, and sometimes it isn't. They design the logic program, wiring all the pieces together on an electrical/logic map of the machine that controls its behavior, and then they upload those instructions into the machine controllers. The vulnerability is the PC.

The controllers themselves are dumb. They aren't really even computers in the strictest sense of the word; they're not even Turing complete. They're just digitally reprogrammable FSMs.

A system that is so important should have the USB ports disabled so nothing can be loaded on or taken from the computer. If your system is older and you can't disable the USB ports, all employees should be educated in some policy that says you're not allowed to put anything in the USB ports and even go as far as blocking them physically so the stupids stay out of them.
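The two countermeasures proposed in this thread, a read-only "data access computer" for the report-export case and disabling the USB ports outright on everything else, both map onto standard Windows registry settings on the HMI or engineering workstation. The script below is an added example written for this page, not code from the article, from ICS-CERT, or from any of the commenters. The registry paths and values (USBSTOR service `Start`, `StorageDevicePolicies\WriteProtect`) are real Windows settings; the mode names, the `$Mode` parameter and the function names are this example's own. It must be run from an elevated PowerShell session, and the settings it changes are the per-machine equivalents of the "Removable Storage Access" Group Policy, which is the preferable way to manage a fleet.

```powershell
# Added example (not from the article or the comments): audit or lock down removable
# USB storage on a Windows control-system workstation.
#   Audit    - only report the current posture (default, makes no changes)
#   ReadOnly - drives still mount but the OS refuses writes (report-import machine)
#   Disabled - the USB mass-storage driver never loads; HID devices are unaffected
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'ReadOnly', 'Disabled')]
    [string]$Mode = 'Audit'
)

# Standard Windows locations; assumption: the machine is a supported client/server build.
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$StorPol = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStoragePosture {
    # USBSTOR Start: 3 = driver loads on demand (default), 4 = disabled.
    $start = (Get-ItemProperty -Path $UsbStor -Name Start -ErrorAction SilentlyContinue).Start
    # WriteProtect = 1 makes every removable disk mount read-only.
    $wp = (Get-ItemProperty -Path $StorPol -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        UsbStorStart = $start
        UsbStorage   = if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
        WriteMode    = if ($wp -eq 1) { 'ReadOnly' } else { 'ReadWrite' }
    }
}

function Set-UsbStorageReadOnly {
    # Keep the driver available (Start = 3) but block writes, so a report can be
    # read off a stick while nothing on this machine can be written back to it.
    if (-not (Test-Path $StorPol)) { New-Item -Path $StorPol -Force | Out-Null }
    Set-ItemProperty -Path $StorPol -Name WriteProtect -Value 1 -Type DWord
    Set-ItemProperty -Path $UsbStor -Name Start -Value 3 -Type DWord
}

function Set-UsbStorageDisabled {
    # Stop the mass-storage class driver from loading at all. The console's
    # keyboard and mouse use the HID class driver, which this does not touch.
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
}

switch ($Mode) {
    'ReadOnly' { Set-UsbStorageReadOnly }
    'Disabled' { Set-UsbStorageDisabled }
}

# Always finish with the resulting posture so the run leaves an auditable record.
Get-UsbStoragePosture | Format-List
```

Two caveats a practitioner would want: `WriteProtect` applies to drives mounted after the change, so a stick already inserted must be re-plugged, and neither setting is a substitute for the physical blocking and written procedure discussed above, since anyone with local admin rights (which the IT commenter below notes operators often need for vendor software) can flip the values back. Run the script in `Audit` mode across the plant's workstations first and compare the output against the expected mode for each machine before enforcing anything.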

I actually work IT for a company that owns and runs power plants, and the biggest issue here is that when you pay $250K for a control system from GE, you aren't so quick to switch to the latest greatest thing. That system works great for what it does; it just happens to run on some really old OS. We were recently quoted some AV package by GE that would cost us around $100k per plant site, which is a lot of money for a facility that only employs 6 or 7 people. On top of this there is a struggle between the needs of our own environment and the needs of the vendor software and hardware. You would be amazed at the requirements of a lot of this ridiculously expensive software. Local admin rights necessary for my operators to run their software? You bet. It's a very specialized, limited industry, so it's not like there is a lot of competition in this space.

You would also think that a company would be interested in protecting its investment in these machines. They should be segregated from regular networks and locked down so they can do nothing except run the control software. Give the operators a second PC from which to surf the internet if you must. Even though it might run Windows, you can't treat it like a Windows PC. It's a customized piece of hardware that just happens to use an off-the-shelf PC as a control panel.

Security is almost 100 percent procedure. I understand that these systems are outdated and expensive, so the solution is that nothing should have the opportunity to infect them. I completely do not understand how these machines aren't locked down with epoxy in the USB ports.